-
I'm looking for the recommendation in case of too many subdomains in the CSP response header.
Replies: 8 comments 2 replies
-
Nice question indeed 👍 If I have understood, your point is, for example regarding the following site with the following set of subdomains:

How to use CSP to only allow content from
-
BTW I posted the same question here https://lists.w3.org/Archives/Public/public-webappsec/2024Oct/0010.html to try to get some info from the browser devs.
-
Thanks for the clarification, I will take a look as well and keep you posted with the results.
-
@riramar Have you received any feedback about your question? 🤔 If I'm not wrong, in case of a large CSP policy sent by the app server or the WAF or the reverse proxy, it is the browser or any network device handling the HTTP response that will cut or alter the CSP received. At the framework level, it is just a string. Do you have an example to allow me to better understand the issue, and its context, in order that I work on a proposal? Thanks a lot in advance for your insights 😃
-
Hi @righettod I don't have a specific example for that. I found this paper from 2016 on Google which seems to point to the right direction. https://research.google/pubs/csp-is-dead-long-live-csp-on-the-insecurity-of-whitelists-and-the-future-of-content-security-policy/ The entire paper PDF can be found here: https://dl.acm.org/doi/pdf/10.1145/2976749.2978363 Regards,
-
👨💻 I performed the following test.

📝 Test page generating a large CSP based on a number of subdomains to add into the

```php
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
// Base policy; every generated subdomain is appended to the img-src directive.
$csp = "default-src 'self'; img-src 'self'";
// Number of subdomains comes from the query string (?c=N); default to 0 when absent.
$cnt = intval($_GET["c"] ?? 0);
for ($x = 0; $x <= $cnt; $x++) {
    $csp .= " https://sub$x.righettod.eu";
}
$csp .= ";";
header("Content-type: text/html; charset=utf-8");
header("Content-Security-Policy: $csp", true, 200);
?>
<!DOCTYPE html>
<html>
<head>
<title>test</title>
</head>
<body>
<b>CSP policy generated (length: <?php echo(strlen($csp)); ?> characters): </b><br>
<code><?php echo($csp); ?></code><br>
<!-- Inline script without nonce or hash: it must be blocked if the CSP was applied. -->
<script>alert("test xss");</script>
</body>
</html>
```

🌏 Page exposed on the Internet via a segfault instance:

💻 Test of generation of 1000 subdomains and loading of the page in Firefox 132.0.2 (last release):

✅ CSP correctly loaded and applied to block the inline JS code.

💻 Same test in Chromium 131.0.6755.0:

✅ CSP correctly loaded and applied to block the inline JS code.

💻 Same test in Edge 131.0.2903.51 (last release):

✅ CSP correctly loaded and applied to block the inline JS code.

👨💻 I tested to reach the limit.

💻 For Edge and Chromium it was when CSP was above 261926 characters:

💻 For FF it was when CSP was above 392995 characters:

👀 Above the limit specified, the error was the following on the browser side (response correctly generated and sent by the php server):
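An added example, not part of the discussion or written by its participants: a Python reproduction of the PHP generator from the comment above, used to turn the character limits observed in the thread into a number of `subN.righettod.eu` entries. The base directives and the subdomain naming scheme are taken from the PHP test page; the limit values are the figures reported in that comment for those specific browser builds (Chromium 131 / Edge 131 and Firefox 132), not documented specification limits, so they are labelled as observed values rather than guarantees.

```python
"""Reproduce the thread's CSP generator and size the policy against the observed browser limits."""

# Limits reported in the thread for the tested builds (observed values, not spec guarantees):
# Chromium 131.0.6755.0 / Edge 131.0.2903.51 failed above 261926 characters,
# Firefox 132.0.2 failed above 392995 characters.
OBSERVED_LIMITS = {
    "chromium_131_edge_131": 261926,
    "firefox_132": 392995,
}


def build_csp(count: int, domain: str = "righettod.eu") -> str:
    """Mirror the PHP loop: base policy plus ' https://sub{x}.{domain}' for x in 0..count inclusive."""
    parts = ["default-src 'self'; img-src 'self'"]
    for x in range(count + 1):
        parts.append(f" https://sub{x}.{domain}")
    parts.append(";")
    return "".join(parts)


def fits_observed_limits(csp: str) -> dict:
    """For each browser family from the thread, whether a header of this size stayed below the observed limit."""
    # The policy is pure ASCII, so character count equals byte count on the wire.
    return {name: len(csp) <= limit for name, limit in OBSERVED_LIMITS.items()}


def max_subdomain_count(limit: int, domain: str = "righettod.eu") -> int:
    """Largest loop bound c (as passed via ?c=N in the PHP page) for which build_csp(c) fits in `limit`.

    Returns -1 when even a single subdomain does not fit. Uses exponential growth
    followed by binary search, so only O(log c) policies are built.
    """
    if len(build_csp(0, domain)) > limit:
        return -1
    lo, hi = 0, 1
    # Grow hi until it no longer fits; lo always fits.
    while len(build_csp(hi, domain)) <= limit:
        lo, hi = hi, hi * 2
    # Invariant: build_csp(lo) fits, build_csp(hi) does not.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if len(build_csp(mid, domain)) <= limit:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    policy = build_csp(1000)
    print(f"1000 subdomains -> {len(policy)} characters, fits: {fits_observed_limits(policy)}")
    for name, limit in OBSERVED_LIMITS.items():
        c = max_subdomain_count(limit)
        print(f"{name}: c={c} gives {len(build_csp(c))} characters (limit {limit})")
```

Running the script shows that both observed limits correspond exactly to a whole number of generated entries (the policy for `c=9068` is exactly 261926 characters and the one for `c=13468` exactly 392995), which is consistent with the tester having increased `?c=N` until the browser refused the header.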
-
Based on the test performed, for me, modern browsers like Chromium based ones or FF support sufficient size to specify a large CSP in case of need.
-
Agreed! I think in that case we can close this topic.